After configuring SSL with test (self-signed) certificates for an Oracle Beehive environment with multiple instances, you may receive an alert message similar to the following:

You have received an invalid certificate.... Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

In this scenario, create a self-signed certificate for each Oracle Beehive instance with a unique serial number. If you are using OpenSSL to create self-signed certificates, use the -set_serial option:

Configuring SSL with Self-Signed Certificates During Installation of Oracle Beehive

The following steps describe how to configure SSL with self-signed certificates during the installation of one or more Oracle Beehive instances:

Remove all test certificates using Oracle Wallet Manager from the wallet you created for Oracle Database in Step 1, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.

For the wallet of Oracle Database you created in Step 1, create a self-signed server certificate for each Oracle RAC node using a root certificate (from a certificate authority). Import these self-signed server certificates as well as the root certificate to the wallet for Oracle Database. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

Remove the test certificates using Oracle Wallet Manager from the wallets in Oracle Beehive. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate. These wallets should be located in <Oracle Beehive home>\opmn\conf\ssl.wlt\default and <Oracle Beehive home>\Apache\Apache\conf\ssl.wlt\default.

For the wallet located in <Oracle Beehive home>\opmn\conf\ssl.wlt\default, create a self-signed server certificate for the Oracle Beehive server using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

Repeat this step for the wallet located in <Oracle Beehive home>\Apache\Apache\conf\ssl.wlt\default.

Install an additional Oracle Beehive instance (software only install). In the following steps, this instance will be referred to as the second instance.

Replace orapki and Oracle Wallet Manager (owm.exe) binaries of the second instance with those from the first instance. Create new wallets located in <Oracle Beehive new instance home>\opmn\conf\ssl.wlt\default and <Oracle Beehive new instance home>\Apache\Apache\conf\ssl.wlt\default. Refer to "Configuring TLS with Oracle Wallet".

Remove test certificates using Oracle Wallet Manager from the wallets in <Oracle Beehive new instance home>\opmn\conf\ssl.wlt\default and <Oracle Beehive new instance home>\Apache\Apache\conf\ssl.wlt\default, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.

Repeat Step 8 for the second instance.

Run the Config Wizard for the second instance and complete the configuration.

Configure TLS on all Oracle Beehive instances.

If you want to install another Oracle Beehive instance, repeat Steps 11 to 15.

Configuring SSL with Self-Signed Certificates After Installation of Oracle Beehive

The following steps describe how to configure SSL with self-signed certificates after the installation of one or more Oracle Beehive instances:

Remove all test certificates using Oracle Wallet Manager from the wallet you created for Oracle Database in Step 1, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.

For the wallet of Oracle Database you created in Step 1, create a self-signed server certificate for each Oracle RAC node using a root certificate (from a certificate authority). Import these self-signed server certificates as well as the root certificate to the wallet for Oracle Database. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

Choose one of your Oracle Beehive instances on which to perform Steps 4 to 7 (you will repeat these steps on your other instances later). Configure TLS on the Oracle Beehive instance. Refer to "Configuring TLS with Oracle Wallet".

Remove the test certificates from the wallets of the Oracle Beehive instance. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate. These wallets should be located in <Oracle Beehive home>\opmn\conf\ssl.wlt\default and <Oracle Beehive home>\Apache\Apache\conf\ssl.wlt\default.

For the wallet located in <Oracle Beehive home>\opmn\conf\ssl.wlt\default, create a self-signed server certificate for Oracle Beehive using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".

Repeat this step for the wallet located in <Oracle Beehive home>\Apache\Apache\conf\ssl.wlt\default.

If you have multiple Oracle Beehive instances, repeat Steps 4 to 7 for each of your instances.

For the wallet located in <Oracle Beehive DMZ home>\opmn\conf\ssl.wlt\default, create a self-signed server certificate for the Oracle Beehive DMZ instance using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. For more information, refer to "Creating Self-Signed Certificate and Importing it into Wallet".

Repeat this step for the wallet located in <Oracle Beehive DMZ home>\Apache\Apache\conf\ssl.wlt\default.

Create your own certificate authority. This step uses OpenSSL. For more information about OpenSSL, refer to http://www.openssl.org/.

openssl req -new -x509 -keyout cakey.pem -out cacert.crt -days 365

This command generates two files named cakey.pem and cacert.crt.

Create and export a certificate request with Oracle Wallet Manager:

Run Oracle Wallet Manager, <Oracle Beehive home>\bin\owm. (Use <Database home>\bin\owm instead if you have not installed any Oracle Beehive instances.)

Open the wallet (to which you want to add the certificate).

Create a certificate request. Click the Operations tab. Click Add Certificate Request. Fill out the form. The Common Name should be the name of the server for which you are creating the certificate (such as the name of the Oracle RAC node). Click OK.

Save the wallet.

Click the Operations tab. Click Export Certificate Request. Enter the path and file name of the certificate request. These steps assume that the name of this file is certreq.csr. (Keep Oracle Wallet Manager open; you will use it in Step 4.)

From a command prompt, generate a server certificate with the following command:

Repeat Steps 2 to 5 for each server for which you want to create a certificate. (In particular, you would repeat these steps for each Oracle RAC node.) You do not need to repeat Step 1; you can use the same cakey.pem and cacert.crt files for other servers.
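The OpenSSL side of this procedure, combined with the unique-serial requirement behind the alert quoted at the top of the page, as an added example (not Oracle's own commands): it signs one request per server with a distinct -set_serial value and reports any issuer/serial pair that appears on more than one certificate. The host names, the "Example Test CA" subject, the -nodes/-subj options used to run unattended, and the OpenSSL-generated requests standing in for the Oracle Wallet Manager export are assumptions.

```shell
#!/bin/sh
# Added example; host names, subjects and serial values are constructed.
set -eu

# Step 1 CA command, with -nodes/-subj added so it runs without prompts.
make_ca() {    # $1 = work dir
    openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=Example Test CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.crt" -days 365 2>/dev/null
}

# Stand-in for the request exported from Oracle Wallet Manager (assumption).
make_csr() {   # $1 = work dir, $2 = server name
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Sign a request with the CA, forcing an explicit serial number.
sign_csr() {   # $1 = work dir, $2 = server name, $3 = serial
    openssl x509 -req -in "$1/$2.csr" -CA "$1/cacert.crt" -CAkey "$1/cakey.pem" \
        -set_serial "$3" -days 365 -out "$1/$2.crt" 2>/dev/null
}

# Print each "issuer-hash serial" pair carried by more than one certificate.
duplicate_serials() {   # args: certificate files
    for c in "$@"; do
        printf '%s %s\n' "$(openssl x509 -in "$c" -noout -issuer_hash)" \
                         "$(openssl x509 -in "$c" -noout -serial)"
    done | sort | uniq -d
}

# Issue one certificate per server, incrementing the serial each time.
work=$(mktemp -d)
make_ca "$work"
serial=1
for host in node1.example.com node2.example.com; do
    make_csr "$work" "$host"
    sign_csr "$work" "$host" "$serial"
    serial=$((serial + 1))
done
dups=$(duplicate_serials "$work"/*.example.com.crt)
if [ -z "$dups" ]; then echo "all serial numbers are unique"; else echo "duplicates: $dups"; fi
rm -rf "$work"
```

Running duplicate_serials over the certificates exported from every instance's wallets before importing a new one shows whether a serial has already been used by the same CA.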

Using Oracle Wallet to Create Self-Signed Certificate

Alternatively, you may use Oracle Wallet to create a self-signed certificate.

Add a self-signed certificate to the wallet with the following command:

The directory <Oracle home>/Apache/Apache/conf/ssl.wlt/default/ is the Oracle Beehive default wallet directory. CN=user is the distinguished name of an arbitrary user who will be the certificate owner.

With your certificate authority (CA) and your certificate request (certificate_request.txt), create a signed user certificate. In addition, export the trusted certificate from your CA. These steps use the file user_certificate.txt as the signed user certificate and the file trusted_certificate.txt as the trusted certificate exported from your CA.

You may use Oracle Wallet as a CA for testing purposes by following these steps.

Create an auto-login wallet to act as a certificate authority. These steps assume that this wallet is stored in /private/ca_wallet.

Create a signed certificate from the request for test purposes:

Install your first Oracle Beehive application tier. Note that this application tier, by default, will have SSL disabled for Oracle Notification Service (ONS), which is used by OPMN of this application tier to communicate with other OPMNs in the site. In the next step, you will disable SSL (if necessary).

Ensure that the value of NotificationServerSslEnabled in the _current_site:OpmnCluster component in the first Oracle Beehive application tier is false: